Discussion:
Why does msinfo32.exe take 49.9 of resources and freeze the computer?
pyotr filipivich
2017-12-19 03:01:24 UTC
I have taken to running Process Monitor with the processes sorted
by CPU usage, so that I can "quickly" suspend msinfo32.exe when it
grabs "half" the cpu and freezes everything else. Usually I notice
this when PaleMoon is running and suddenly the mouse pointer just
stops.
Then begins the move mouse on the desk and aim for the procmon
window, then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".

Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies, and
why is it hogging resources so much?

Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?

grumble

pyotr
--
pyotr filipivich
The question was asked: "Is Hindsight overrated?"
In retrospect, it appears to be.
VanguardLH
2017-12-19 04:12:56 UTC
I have taken to running Process Monitor with the processes sorted by
CPU usage, so that I can "quickly" suspend msinfo32.exe when it grabs
"half" the cpu and freezes everything else. Usually I notice this
when PaleMoon is running and suddenly the mouse pointer just stops.
Then begins the move mouse on the desk and aim for the procmon window,
then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".
Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies,
and why is it hogging resources so much?
Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?
Did you leave logging on and on and on and ... All those events are
getting logged while ProcMon is running. Filtering only changes what
you see. ALL events are still logged. When that logfile gets huge, not
only does it require lots of resources to keep updating such a huge file
but can also eat up your free disk space with a huge log file. Did you
try clearing its logfile to start anew each time you start ProcMon?

By Process Monitor, I have to assume you are talking about SysInternals'
(now owned by Microsoft) Process Monitor, not the Performance Monitor
included in Windows. Neither of those start msinfo32.exe so you started
that program. The problem with the huge logfile mentioned above is when
using Process Monitor (ProcMon). I haven't used Performance Monitor
often enough to know how big its logfile will get or if it even has a
logfile function.

Stop the monitoring in ProcMon (Ctrl+E or click the magnifying glass
toolbar button). Clear its logfile (Ctrl+X or eraser-across-page
toolbar icon). Then start monitoring anew (Ctrl+E to toggle on the
monitoring).

Once I realized ProcMon was storing ALL events in a logfile and that was
causing the slowdown, I realized it was a user error in how I was using
ProcMon. I thought it was logging only the events that I allowed via
filtering. Nope, it logs them all and filtering is just a view of what
you want to select from the entire logfile.
pyotr filipivich
2017-12-19 05:12:02 UTC
Post by VanguardLH
I have taken to running Process Monitor with the processes sorted by
CPU usage, so that I can "quickly" suspend msinfo32.exe when it grabs
"half" the cpu and freezes everything else. Usually I notice this
when PaleMoon is running and suddenly the mouse pointer just stops.
Then begins the move mouse on the desk and aim for the procmon window,
then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".
Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies,
and why is it hogging resources so much?
Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?
Did you leave logging on and on and on and ... All those events are
getting logged while ProcMon is running. Filtering only changes what
you see. ALL events are still logged. When that logfile gets huge, not
only does it require lots of resources to keep updating such a huge file
but can also eat up your free disk space with a huge log file. Did you
try clearing its logfile to start anew each time you start ProcMon?
I don't have ProcMon logging anything.

And msinfo32 will start up before I start Procmon. What happens
is all of a sudden the computer drops to a crawl, the mouse pointer
doesn't move, if I am patient, I'll work it over to a short cut, start
it, wait for it, work the pointer to the column CPU, sort by usage,
and work it down to msinfo32, and eventually I'm able to suspend. (If I
am not patient, I use the BRS interrupt to reboot)


Basically, I'm moving the mouse, then waiting for the screen to
catch up, then seeing if where I moved the mouse 15 seconds ago is the
correct spot, if not try again, and see if it's now in the correct
spot, and repeat - until either I can kill msinfo32, or it deigns to
return the use of the mouse/keyboard/computer in general to me.

Which still leaves me with this annoying problem that msinfo32 is
starting up just to start up and interfere with my computer experience
- whether I had procmonitor running or not. At least with procmonitor
running, I cut out several steps where I'm moving and clicking hoping
I found the shortcut when the mouse gets polled.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Char Jackson
2017-12-19 07:20:25 UTC
On Mon, 18 Dec 2017 21:12:02 -0800, pyotr filipivich
Post by pyotr filipivich
Post by VanguardLH
I have taken to running Process Monitor with the processes sorted by
CPU usage, so that I can "quickly" suspend msinfo32.exe when it grabs
"half" the cpu and freezes everything else. Usually I notice this
when PaleMoon is running and suddenly the mouse pointer just stops.
Then begins the move mouse on the desk and aim for the procmon window,
then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".
Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies,
and why is it hogging resources so much?
Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?
Did you leave logging on and on and on and ... All those events are
getting logged while ProcMon is running. Filtering only changes what
you see. ALL events are still logged. When that logfile gets huge, not
only does it require lots of resources to keep updating such a huge file
but can also eat up your free disk space with a huge log file. Did you
try clearing its logfile to start anew each time you start ProcMon?
I don't have ProcMon logging anything.
And msinfo32 will start up before I start Procmon. What happens
is all of a sudden the computer drops to a crawl, the mouse pointer
doesn't move, if I am patient, I'll work it over to a short cut, start
it, wait for it, work the pointer to the column CPU, sort by usage,
and work it down to msinfo32, and eventually I'm able to suspend. (If I
am not patient, I use the BRS interrupt to reboot)
Basically, I'm moving the mouse, then waiting for the screen to
catch up, then seeing if where I moved the mouse 15 seconds ago is the
correct spot, if not try again, and see if it's now in the correct
spot, and repeat - until either I can kill msinfo32, or it deigns to
return the use of the mouse/keyboard/computer in general to me.
Which still leaves me with this annoying problem that msinfo32 is
starting up just to start up and interfere with my computer experience
- whether I had procmonitor running or not. At least with procmonitor
running, I cut out several steps where I'm moving and clicking hoping
I found the shortcut when the mouse gets polled.
Seems like the big question is why is msinfo32.exe starting and running?
That's most odd. You should be able to prevent that from happening.
--
Char Jackson
J. P. Gilliver (John)
2017-12-19 12:31:12 UTC
In message <***@4ax.com>, Char Jackson
<***@none.invalid> writes:
[]
Post by Char Jackson
Seems like the big question is why is msinfo32.exe starting and running?
That's most odd. You should be able to prevent that from happening.
That does seem to be the question. Then, as VanguardLH says it should
run in a second or so, I think Paul's question of whether it's malware
that has replaced your normal msinfo32.exe might be a good question.

A lazy way forward, especially if you don't need what it does, would be
to rename it to something else, so that whatever is starting it would
not succeed in doing so. However, I don't know what it actually _does_,
so if Windows needs it, that could break your system. If Windows
_doesn't_ need it, then you _might_ get some indication - such as a
popup window headed Fred saying "Fred can't find msinfo" - of what is
triggering it, though you might not.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Grief generates a huge energy in you and it's better for everybody if you
harness it to do something. - Judi Dench, RT 2015/2/28-3/6
pyotr filipivich
2017-12-19 17:01:11 UTC
Post by J. P. Gilliver (John)
[]
Post by Char Jackson
Seems like the big question is why is msinfo32.exe starting and running?
That's most odd. You should be able to prevent that from happening.
That does seem to be the question. Then, as VanguardLH says it should
run in a second or so, I think Paul's question of whether it's malware
that has replaced your normal msinfo32.exe might be a good question.
A lazy way forward, especially if you don't need what it does, would be
to rename it to something else, so that whatever is starting it would
not succeed in doing so. However, I don't know what it actually _does_,
so if Windows needs it, that could break your system. If Windows
_doesn't_ need it, then you _might_ get some indication - such as a
popup window headed Fred saying "Fred can't find msinfo" - of what is
triggering it, though you might not.
Sounds like a plan.

Ufda.

pyotr
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
pyotr filipivich
2017-12-19 17:01:11 UTC
Post by Char Jackson
Post by pyotr filipivich
Basically, I'm moving the mouse, then waiting for the screen to
catch up, then seeing if where I moved the mouse 15 seconds ago is the
correct spot, if not try again, and see if it's now in the correct
spot, and repeat - until either I can kill msinfo32, or it deigns to
return the use of the mouse/keyboard/computer in general to me.
Which still leaves me with this annoying problem that msinfo32 is
starting up just to start up and interfere with my computer experience
- whether I had procmonitor running or not. At least with procmonitor
running, I cut out several steps where I'm moving and clicking hoping
I found the shortcut when the mouse gets polled.
Seems like the big question is why is msinfo32.exe starting and running?
That's most odd. You should be able to prevent that from happening.
If I knew why, I would. Grumble. But as I said earlier -
querying MS on the subject tells me all the good things it does and why
I might want to run it. (I had similar miscommunication years back.
Query: "Why can't I access my file?" Answer: "Access is a powerful
database program..." But I digress.)

This morning Msinfo grabbed control of my computer before I'd
started process monitor.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
VanguardLH
2017-12-19 07:47:01 UTC
Post by pyotr filipivich
Post by VanguardLH
I have taken to running Process Monitor with the processes sorted by
CPU usage, so that I can "quickly" suspend msinfo32.exe when it grabs
"half" the cpu and freezes everything else. Usually I notice this
when PaleMoon is running and suddenly the mouse pointer just stops.
Then begins the move mouse on the desk and aim for the procmon window,
then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".
Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies,
and why is it hogging resources so much?
Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?
Did you leave logging on and on and on and ... All those events are
getting logged while ProcMon is running. Filtering only changes
what you see. ALL events are still logged. When that logfile gets
huge, not only does it require lots of resources to keep updating
such a huge file but can also eat up your free disk space with a
huge log file. Did you try clearing its logfile to start anew each
time you start ProcMon?
I don't have ProcMon logging anything.
As soon as you enable it capturing events, yep, it is LOGGING. The
default when loading ProcMon (and after defining any filters) is to
start capturing. Even if you disable capture in a session of ProcMon
and clear its log, capture is enabled by default in the next session you
start when loading ProcMon. That's why you can see past events that it
logged. That's why you can define filters to change the *view* of what
you see in the log (not what gets added to the log -- which is
EVERYTHING gets put into the log). If you don't enable capture mode
then you won't see any new events, so there is little use (just past
events, not new events) for ProcMon.
Post by pyotr filipivich
And msinfo32 will start up before I start Procmon.
What's the point of leaving msinfo32 loaded if it will never change
anything it listed from the prior scan? You can load it, look at its
scan results, maybe save it, and then exit. Or you can load msinfo32,
look at what it scanned now, and then later do a refresh to see if there
were any changes.

I don't see a setting in msinfo32 that has it re-poll for hardware
changes at some periodic interval. If ProcMon is showing events from the
msinfo32.exe process then that program is [still] scanning. On my
computer, the scanning is done within a second of loading msinfo32
(versus Piriform's Speccy that takes much longer to do a scan). If
msinfo32.exe is sucking up half the CPU usage then it is scanning (the
first one it does when loaded or by having it do a refresh).
Post by pyotr filipivich
What happens
is all of a sudden the computer drops to a crawl, the mouse pointer
doesn't move, if I am patient, I'll work it over to a short cut, start
it, wait for it, work the pointer to the column CPU, sort by usage,
and work it down to msinfo32, and evenutal I'm able to suspend. (If I
am not patient, I use the BRS interupt to reboot)
Either the problem is with msinfo32 (which should not be sucking up lots
of CPU time because its scan should be quick) or because you have a huge
logfile in ProcMon which is choking the data bus on your mobo between
your memory and CPU and storage media.
Post by pyotr filipivich
Which still leaves me with this annoying problem that msinfo32 is
starting up just to start up and interfere with my computer experience
- whether I had procmonitor running or not. At least with procmonitor
running, I cut out several steps where I'm moving and clicking hoping
I found the shortcut when the mouse gets polled.
msinfo32 doesn't "just start up". YOU load it manually, as a startup
program you added to your Startup folder (or the All Users one), as a
scheduled event, or by some other means msinfo32.exe became a startup
program. If you don't want it to load on logging into Windows, try
using msconfig.exe to see if it is listed as a Startup Item. If it is
not listed there, use SysInternals' AutoRuns to check more startup
locations (in the file system or in the registry).
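Added example (editor's addition, not something posted in the thread): the manual check described above, done in one pass from PowerShell. It walks the Run/RunOnce keys, both startup folders, scheduled task actions and service image paths looking for anything that names msinfo32. It assumes PowerShell 3.0 to 5.1 on Windows 7 or later and an elevated prompt so that HKLM and every task are readable; the search string and the output format are the editor's choices.

```powershell
# Added example, not posted in the thread: search the usual autostart locations
# for anything that launches msinfo32.exe. Assumes Windows 7 or later with
# PowerShell 3.0-5.1 (Get-WmiObject is gone in PowerShell 7); run it from an
# elevated prompt so HKLM and every scheduled task are readable.
$Needle = 'msinfo32'
$hits   = New-Object System.Collections.ArrayList

function Add-Hit($Source, $Name, $Command) {
    [void]$hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Run / RunOnce keys for the machine, the 32-bit view, and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are provider noise
        if ("$($p.Value)" -match $Needle) { Add-Hit "Registry $key" $p.Name $p.Value }
    }
}

# 2. Startup folders: resolve .lnk targets, read anything else as text
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
        $target = if ($f.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName); "$($lnk.TargetPath) $($lnk.Arguments)"
        } else {
            Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ("$($f.Name) $target" -match $Needle) { Add-Hit "Startup folder $dir" $f.Name $target }
    }
}

# 3. Scheduled tasks. Get-ScheduledTask exists on Windows 8 and later; on
#    Windows 7 fall back to schtasks.exe, whose verbose CSV has a "Task To Run" column.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Needle) { Add-Hit "Task $($t.TaskPath)" $t.TaskName $cmd }
        }
    }
} else {
    schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $Needle } |
        ForEach-Object { Add-Hit 'Task' $_.TaskName $_.'Task To Run' }
}

# 4. Services whose image path names it
foreach ($s in (Get-WmiObject -Class Win32_Service)) {
    if ($s.PathName -match $Needle) { Add-Hit 'Service' $s.Name $s.PathName }
}

if ($hits.Count -eq 0) { "No Run key, startup folder, task or service references $Needle." }
else { $hits | Format-Table -AutoSize -Wrap }
```

This covers the same ground as msconfig's Startup tab plus tasks and services; Autoruns still looks in more places (WMI subscriptions, shell extensions, drivers, winlogon hooks). An empty result is also informative: a program that is launched by another already-running program, a service for instance, has no autostart entry of its own, and no amount of startup searching will find it.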
pyotr filipivich
2017-12-19 17:01:11 UTC
Post by VanguardLH
Post by pyotr filipivich
I don't have ProcMon logging anything.
As soon as you enable it capturing events, yep, it is LOGGING. The
How do I enable it to capture events? Or disable that?
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
VanguardLH
2017-12-19 22:43:03 UTC
Post by pyotr filipivich
Post by VanguardLH
As soon as you enable it capturing events, yep, it is LOGGING. The
How do I enable it to capture events?
When you load ProcMon, it is already enabled to capture (logging). Even
if you disabled it in a prior session of ProcMon, a new session of
ProcMon will have logging enabled by default.
Post by pyotr filipivich
Or disable that?
Mentioned in my first reply to you.
pyotr filipivich
2017-12-19 17:01:11 UTC
Post by VanguardLH
Post by pyotr filipivich
And msinfo32 will start up before I start Procmon.
What's the point of leaving msinfo32 loaded if it will never change
anything it listed from the prior scan? You can load it, look at its
scan results, maybe save it, and then exit. Or you can load msinfo32,
look at what it scanned now, and then later do a refresh to see if there
were any changes.
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.

I want to kill it "with fire" because it locks the computer up for
between 2 to five minutes. As I didn't start it, I don't know why it
is running - or what it is doing anyway.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Paul
2017-12-19 19:44:10 UTC
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
And msinfo32 will start up before I start Procmon.
What's the point of leaving msinfo32 loaded if it will never change
anything it listed from the prior scan? You can load it, look at its
scan results, maybe save it, and then exit. Or you can load msinfo32,
look at what it scanned now, and then later do a refresh to see if there
were any changes.
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
I want to kill it "with fire" because it locks the computer up for
between 2 to five minutes. As I didn't start it, I don't know why it
is running - or what it is doing anyway.
If you want to do an offline scan of the computer, you can make
a scanning disk with a Bitdefender download.

https://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

http://download.bitdefender.com/rescue_cd/latest/bitdefender-rescue-cd.iso

To avoid trouble, you can do the necessary work on another computer,
as some malware will prevent downloads from sites which host such tools.

*******

Your symptoms are puzzling from another point of view.

Are you running a high core count processor ? Or is it only
a dual core processor. If eight copies of the program are running,
and they're using 50% CPU, you must have something like an 8C 16T
processor. It's either that, or the Affinity of each copy of the
executable, is pointed at a specific core. Which doesn't make
a lot of sense. Normally there isn't a lot of interest in
modifying affinity settings.

https://en.wikipedia.org/wiki/Processor_affinity

In this example, Photoshop is being forced to run on CPU0 core.


Paul
VanguardLH
2017-12-19 22:44:50 UTC
I am not starting msinfo32.exe; something else is, and I have no idea
what it is.
So follow the instructions already provided to you on how to investigate
and find startup items. We're not there. You'll have to do the work.
You'll have to find the startup item that loads msinfo32.exe and delete
or disable it.
pyotr filipivich
2017-12-20 02:36:37 UTC
Post by VanguardLH
I am not starting msinfo32.exe; something else is, and I have no idea
what it is.
So follow the instructions already provided to you on how to investigate
and find startup items. We're not there. You'll have to do the work.
You'll have to find the startup item that loads msinfo32.exe and delete
or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Mayayana
2017-12-20 03:29:42 UTC
"pyotr filipivich" <***@mindspring.com> wrote

| Sorry, my problem is that far too often, by the time I can "do"
| anything - msinfo has completed its task and closed down.

If it were me I'd start by checking Autoruns and
the enabled services. If there's nothing obvious then
check Process Explorer when msinfo runs to see if
you can figure out the parent process, or at least
what else is running. Failing that, move or delete
msinfo. I don't think it's a particularly valuable
program. It just uses WMI to collect system info.
You can do that yourself with a script, or with a
free system info program.
On my XP systems it won't run anyway because
I always disable Windows File Protection and
that takes the whole help system with it. Msinfo32
is another casualty. I've never missed it.
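Added example (editor's addition, not part of Mayayana's post or the thread): the complaint two posts up is that msinfo32 has exited before a human can get Process Explorer to show its parent. A WMI process-start subscription removes the race: it fires the instant msinfo32.exe is created and records the parent process and both command lines to a file. It assumes an elevated PowerShell 3.0+ session on Windows 7 or later (Win32_ProcessStartTrace needs administrator rights); the log file location and the line format are the editor's choices.

```powershell
# Added example, not posted in the thread: record who starts msinfo32.exe, even
# when it exits within seconds. Assumes an elevated PowerShell 3.0+ session on
# Windows 7 or later; Win32_ProcessStartTrace requires administrator rights.
# The log path below is an arbitrary choice.
$Target  = 'msinfo32.exe'
$LogFile = Join-Path $env:TEMP 'msinfo32-launches.log'

$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$Target'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'MsInfoWatch' -MessageData $LogFile -Action {
    # Win32_ProcessStartTrace carries ProcessID, ParentProcessID and ProcessName only
    $e = $Event.SourceEventArgs.NewEvent

    # Look both processes up immediately; the child may be gone before anyone can click.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"       -ErrorAction SilentlyContinue
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue

    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} pid={2} image="{3}" cmd="{4}" parent pid={5} name="{6}" cmd="{7}"' -f
        (Get-Date), $e.ProcessName, $e.ProcessID, $child.ExecutablePath, $child.CommandLine,
        $e.ParentProcessID, $parent.Name, $parent.CommandLine
    Add-Content -Path $Event.MessageData -Value $line
}

"Watching for $Target. Launches are appended to $LogFile."
"Stop with: Unregister-Event -SourceIdentifier MsInfoWatch"
```

Leave the session open; the subscription dies with it. The parent recorded here is whatever called CreateProcess, so a scheduled task shows up as taskeng.exe or svchost.exe, a service-launched child shows up as the service's own executable. The same fact is available without a running script by turning on process-creation auditing (auditpol /set /subcategory:"Process Creation" /success:enable) and reading Security event 4688, whose "Creator Process ID" field exists on Windows 7; the creator's name and the full command line were only added to 4688 in Windows 8.1 / Server 2012 R2, and the command line needs the "Include command line in process creation events" policy.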
pyotr filipivich
2017-12-20 15:54:19 UTC
Post by Mayayana
| Sorry, my problem is that far too often, by the time I can "do"
| anything - msinfo has completed its task and closed down.
If it were me I'd start by checking Autoruns and
the enabled services. If there's nothing obvious then
check Process Explorer when msinfo runs to see if
you can figure out the parent process, or at least
what else is running. Failing that, move or delete
msinfo. I don't think it's a particularly valuable
program. It just uses WMI to collect system info.
You can do that yourself with a script, or with a
free system info program.
On my XP systems it won't run anyway because
I always disable Windows File Protection and
that takes the whole help system with it. Msinfo32
is another casualty. I've never missed it.
There is so much in Windows which is "just so cool" if you hack
Windows, but not if you intend to just use the computer for other
work.

grumble grouch
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
VanguardLH
2017-12-20 04:12:00 UTC
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?
pyotr filipivich
2017-12-20 15:54:19 UTC
Post by VanguardLH
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?
The AV scans say I'm good (Malwarebytes, Avast, Comodo).

there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_, other than apparently because MS
thinks it a neat idea to run it.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Paul
2017-12-20 19:23:13 UTC
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?
The AV scans say I'm good (Malwarebytes, Avast, Comodo).
there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_, other than apparently because MS
thinks it a neat idea to run it.
Why do you assume Microsoft is doing this ?

You do realize that a *lot* of Windows malfunctions are
caused by third parties, not Microsoft.

I've still not seen your analysis of what is
actually running. Is it *really* a copy of msinfo32.exe
from the System folder ? Or is it a third party
program with that name, running from your
Downloads folder ?

If there is a rootkit present on your machine (3% of
malware uses rootkits), then they can change the *appearance*
of virtually any file. They can be running a copy of
msinfo32 which does not have the same byte content
as the copy on the disk drive. You can upload the
file to virustotal, and it will scan clean, because
it isn't actually the file that is currently running
on the computer. So there will be some cases,
where you will be confused by what owns the machine,
and will never get a clear picture of the situation.

If you boot a Linux LiveCD, that allows an offline analysis
of the disk content. If you find a copy of msinfo32.exe then,
the rootkit is not actively modifying it. But at shutdown,
the rootkit can leave things in a state, so there are
"few tracks" left of what it has done.

Some malware, stores content outside of data clusters,
up in the last fraction of 8MB of the partition. This
is not officially part of the file system, and a
great place to store things.

One of the reasons I've zeroed entire drives, before
doing an OS restore, is so that the end of the partition
will be clean, and a canary indication of trouble if
it ends up dirty again.

Example of a tool for rootkits.

https://support.kaspersky.com/viruses/solutions/5353

The TDSS rootkit modifies the atapi.sys file, and
changes some stuff on the fly. So it modifies some
things in such a way, that *your* attempts to scan
it while the OS runs, always reveal a clean copy,
while the copy the OS is using, is infected.

https://en.wikipedia.org/wiki/Alureon

It's highly unlikely this is running on your machine...
but the howls of grief when Microsoft pushed out
a change to atapi.sys, indicates that there are
people out there with active copies of that running
on the computer. The incidence is not zero. And
even if they put some guys in jail, others will
continue using the vector.

Summary: It could be a totally naive instance, of
eight copies of an obscure utility deciding
to "run on their own". But this ignores the
other extreme possibilities, of what it might
be. I'm not a malware expert, but I've read enough
discouraging reports to never discount any
possibility when it comes to computer
malfunctions. Keep an open mind while you
work on this. What you're seeing is not normal.

When you see processes doing a lot of work on the computer,
watch your hard drive LED. If the processes are doing
a lot of reads and writes, that could be ransomware.
If it is Ransomware, your files will magically
end up with new file extensions...

"When first released, the extension used for encrypted
files was .Locky. Other versions utilized the .zepto,
.odin, .shit, .thor, .aesir, and .zzzzz extensions
for encrypted files. The current version, released
in December 2016, utilizes the .osiris extension
for encrypted files."

I first looked up that article, when someone in the other
groups, started seeing ".osiris" extensions on his files.
And by then, it was too late. It took *months* to undo
the damage, reinstall OSes and so on. The individual
did not have complete system backups, just a few copies
of his Downloads folder.

Paul
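Added example (editor's addition, not part of Paul's post or the thread): Paul's first question, whether the thing running is really the msinfo32.exe from the system directory, is answerable from PowerShell while it is running. The script below takes every live msinfo32 instance (or the on-disk system copies if none is running), records the image path, whether that path is one of the two locations Windows installs it to, the Authenticode status and signer, the file version info and a SHA-256. It assumes PowerShell 4.0 or later (Get-FileHash) on 64-bit Windows and an elevated prompt; the function and property names are the editor's.

```powershell
# Added example, not posted in the thread: is the running msinfo32.exe the copy
# Windows ships, or a same-named file somewhere else? Assumes PowerShell 4.0+
# (Get-FileHash) on 64-bit Windows; run elevated so every instance's image path
# is readable.
$systemCopies = @(
    (Join-Path $env:SystemRoot 'System32\msinfo32.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\msinfo32.exe')
)

function Get-ImageReport {
    param([string]$Path, [int]$ProcessId = 0)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -Path $Path).VersionInfo
    [pscustomobject]@{
        PID         = $ProcessId
        Path        = $Path
        InSystemDir = [bool]($systemCopies | Where-Object { $_ -eq $Path })   # -eq on strings is case-insensitive
        SigStatus   = $sig.Status                 # Valid / NotSigned / HashMismatch / ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company     = $ver.CompanyName
        Version     = $ver.FileVersion
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$running = @(Get-Process -Name msinfo32 -ErrorAction SilentlyContinue)
if ($running.Count -eq 0) {
    'msinfo32.exe is not running right now; reporting the on-disk system copies instead.'
    $systemCopies | Where-Object { Test-Path $_ } | ForEach-Object { Get-ImageReport -Path $_ }
} else {
    foreach ($p in $running) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # access denied for another user's process when not elevated
        if (-not $path) { "PID $($p.Id): image path not readable, run elevated."; continue }
        Get-ImageReport -Path $path -ProcessId $p.Id
    }
}
```

Two caveats when reading the output. Most Windows system binaries are catalog-signed rather than carrying an embedded signature, so on older Windows versions a copy inside System32 can show NotSigned here; confirm with "sfc /verifyfile=C:\Windows\System32\msinfo32.exe" or Sysinternals sigcheck, both of which consult the catalogs. A NotSigned or HashMismatch result on a copy that is not in System32 or SysWOW64, or a signer that is not Microsoft, is the finding worth chasing. And, as Paul says, all of this reads the disk through the running OS, so a rootkit that filters file reads defeats it; that case is exactly what the offline (LiveCD or rescue disk) scan is for.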
pyotr filipivich
2017-12-20 21:18:48 UTC
Post by Paul
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?
The AV scans say I'm good (Malwarebytes, Avast, Comodo).
there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_, other than apparently because MS
thinks it a neat idea to run it.
Why do you assume Microsoft is doing this ?
I have to start somewhere.
Post by Paul
You do realize that a *lot* of Windows malfunctions are
caused by third parties, not Microsoft.
This is true too. But MS has done enough over the years to make
me miss command lines and directory trees.
Post by Paul
I've still not seen your analysis of what is
actually running. Is it *really* a copy of msinfo32.exe
from the System folder ? Or is it a third party
program with that name, running from your
Downloads folder ?
Downloads is empty. I keep it that way mostly. Have other places
where I pre-sort things I download.

Using Process Hacker - msinfo32 is not running now.

From prior experience, msinfo32.exe is/was apparently called by
cmdagent.exe, from "C:\Program Files\COMODO\COMODO Internet
Security".
cmdagent (which was started one hour and seven minutes ago, when I
rebooted the computer) by "services.exe" (from windows\system32).
Services is called by wininit.exe, also in system32.
Post by Paul
If there is a rootkit present on your machine (3% of
malware uses rootkits), then they can change the *appearance*
of virtually any file. They can be running a copy of
msinfo32 which does not have the same byte content
as the copy on the disk drive. You can upload the
file to virustotal, and it will scan clean, because
it isn't actually the file that is currently running
on the computer. So there will be some cases,
where you will be confused by what owns the machine,
and will never get a clear picture of the situation.
If you boot a Linux LiveCD, that allows an offline analysis
of the disk content. If you find a copy of msinfo32.exe then,
the rootkit is not actively modifying it. But at shutdown,
the rootkit can leave things in a state, so there are
"few tracks" left of what it has done.
Some malware, stores content outside of data clusters,
up in the last fraction of 8MB of the partition. This
is not officially part of the file system, and a
great place to store things.
One of the reasons I've zeroed entire drives, before
doing an OS restore, is so that the end of the partition
will be clean, and a canary indication of trouble if
it ends up dirty again.
Clever. I shall make a note of that.
Post by Paul
Example of a tool for rootkits.
https://support.kaspersky.com/viruses/solutions/5353
The TDSS rootkit modifies the atapi.sys file, and
changes some stuff on the fly. So it modifies some
things in such a way, that *your* attempts to scan
it while the OS runs, always reveal a clean copy,
while the copy the OS is using, is infected.
https://en.wikipedia.org/wiki/Alureon
It's highly unlikely this is running on your machine...
but the howls of grief when Microsoft pushed out
a change to atapi.sys, indicates that there are
people out there with active copies of that running
on the computer. The incidence is not zero. And
even if they put some guys in jail, others will
continue using the vector.
Summary: It could be a totally naive instance, of
eight copies of an obscure utility deciding
to "run on their own". But this ignores the
other extreme possibilities, of what it might
be. I'm not a malware expert, but I've read enough
discouraging reports to never discount any
possibility when it comes to computer
malfunctions. Keep an open mind while you
work on this. What you're seeing is not normal.
From what I've been able to suss out - msinfo gets run "to gather
information about your computer, to diagnose issues with your
computer, or to access other tools"
Post by Paul
When you see processes doing a lot of work on the computer,
watch your hard drive LED. If the processes are doing
a lot of reads and writes, that could be ransomware.
If it is Ransomware, your files will magically
end up with new file extensions...
"When first released, the extension used for encrypted
files was .Locky. Other versions utilized the .zepto,
.odin, .shit, .thor, .aesir, and .zzzzz extensions
for encrypted files. The current version, released
in December 2016, utilizes the .osiris extension
for encrypted files."
I first looked up that article, when someone in the other
groups, started seeing ".osiris" extensions on his files.
And by then, it was too late. It took *months* to undo
the damage, reinstall OSes and so on. The individual
did not have complete system backups, just a few copies
of his Downloads folder.
Thanks.
Post by Paul
Paul
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Paul
2017-12-20 23:31:05 UTC
Post by pyotr filipivich
From prior experience, msinfo32.exe is/was apparently called by
cmdagent.exe , from "C:\Program Files\COMODO\COMODO Internet
Security"
cmdagent ( was started one hour and seven minutes ago (when I
rebooted the computer)) by "services.exe" (from windows\system32).
Services is called by wininit.exe, also in system32.
I see one reference in Google to this. Is this real ?

Have a look through your Comodo folders for artifacts.

C:\ProgramData\Comodo\Cis\telemetry\msinfo32

Paul
pyotr filipivich
2017-12-21 04:03:22 UTC
Post by Paul
Post by pyotr filipivich
From prior experience, msinfo32.exe is/was apparently called by
cmdagent.exe , from "C:\Program Files\COMODO\COMODO Internet
Security"
cmdagent ( was started one hour and seven minutes ago (when I
rebooted the computer)) by "services.exe" (from windows\system32).
Services is called by wininit.exe, also in system32.
I see one reference in Google to this. Is this real ?
What is real? That cmdagent.exe is called by services.exe? or
that services.exe is called by wininit.exe?
Post by Paul
Have a look through your Comodo folders for artifacts.
C:\ProgramData\Comodo\Cis\telemetry\msinfo32
Only thing in there was
msinfo_cb44cdce828a88b917eda4bdb6ef70aac6c9122.nfo size 14.2MB from
this morning
which had all the system info, but is no longer there to be
accessed. (My bad, I deleted it, and Recycle Bin can neither restore
nor display the contents.)
Post by Paul
Paul
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
VanguardLH
2017-12-21 04:49:02 UTC
Only thing in there was msinfo_cb44cdce828a88b917eda4bdb6ef70aac6c9122.nfo
size 14.2MB from this morning which had all the system info, but is
no longer there to be accessed. (My bad, I deleted it, and Recycle
Bin can neither restore nor display the contents.)
NFO files are exports from msinfo32.exe. While msinfo32 itself might
run quickly (but depends on how fast is your hardware+software
platform), exporting its records to an .nfo file takes a LOT longer.
With 8 instances of it running concurrently and each dumping to an
output file its scan results, that could take a very long time during
which the CPU can be busy along with pushing a lot of bytes over the
data bus. Takes time to write those 14 megabytes, especially if doing
it 8 times.

Don't know what hardware and software you have that would result in a
14MB NFO file. Using File -> Save on my PC resulted in a 1 MB file.
That yours is 14MB in size could mean you have a lot more to report,
that the file is somehow getting bloated, or maybe it is an aggregate
report from multiple exports from msinfo32. Somehow msinfo32 (if it is
the one provided by Microsoft in Windows) is getting abused.

Other than you manually running msinfo32.exe, the only other reason that
I can figure for some software to use it is for reporting information to
the author/owner of that other software. Maybe Comodo or something else
you use employs msinfo32.exe to report system information as part of
their troubleshooting report. If cmdagent.exe is part of a Comodo
program (the product name was not identified) and it is loading
msinfo32.exe then perhaps you enabled some error reporting or tracking
feature that keeps creating system reports (supposedly to be sent to
Comodo now or sometime later).
VanguardLH
2017-12-20 20:52:18 UTC
Post by pyotr filipivich
there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_,
The Start menu's Startup folder (under your profile and under the All
Users profile) is just one of *MANY* places to specify a program loads
on Windows load, on login, on an event, as a scheduled task, etc. Did
you actually yet use msconfig.exe to look at the list of startup items?
If it is listed in msconfig then you need something more robust to list
all startup locations, like SysInternals' AutoRuns (where you can even
search on "msinfo" to find it is defined in the dozens and dozens of
startup locations).
Post by pyotr filipivich
other than apparently because MS thinks it a neat idea to run it.
Wrong. No version of Windows has ever had msinfo32.exe as a default
startup program.
pyotr filipivich
2017-12-21 04:03:22 UTC
Post by VanguardLH
Post by pyotr filipivich
there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_,
The Start menu's Startup folder (under your profile and under the All
Users profile) is just one of *MANY* places to specify a program loads
on Windows load, on login, on an event, as a scheduled task, etc. Did
you actually yet use msconfig.exe to look at the list of startup items?
If it is listed in msconfig then you need something more robust to list
all startup locations, like SysInternals' AutoRuns (where you can even
search on "msinfo" to find it is defined in the dozens and dozens of
startup locations).
I have checked through CCleaner for what is loaded at startup.
C:\Program Files\COMODO\COMODO Internet Security\cstray.exe
is the only Comodo program 'loaded'.
Post by VanguardLH
Post by pyotr filipivich
other than apparently because MS thinks it a neat idea to run it.
Wrong. No version of Windows has ever had msinfo32.exe as a default
startup program.
Which is not the problem. The problem is, that when msinfo32 is
loaded and run, it hogs enough resources that for the next three to
five minutes, my computer is "closed for lunch". If lucky, I might
be able to get to the process msinfo32.exe before it is done and kill
it. Just as often, by the time I can do anything, the process has
closed and my computer is now "back from lunch" and ready to resume
working.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
VanguardLH
2017-12-21 04:37:31 UTC
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
there is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_,
The Start menu's Startup folder (under your profile and under the All
Users profile) is just one of *MANY* places to specify a program loads
on Windows load, on login, on an event, as a scheduled task, etc. Did
you actually yet use msconfig.exe to look at the list of startup items?
If it is listed in msconfig then you need something more robust to list
all startup locations, like SysInternals' AutoRuns (where you can even
search on "msinfo" to find it is defined in the dozens and dozens of
startup locations).
I have checked through CCleaner for what is loaded at startup.
C:\Program Files\COMODO\COMODO Internet Security\cstray.exe
is the only Comodo program 'loaded'.
Okay, don't use the suggested tool that looks in ALL startup locations.
msconfig.exe only looks in a few places (the typical ones). CCleaner is
the same. AutoRuns checks everywhere known that startup programs can be
loaded. For example, there is a WinLogon registry entry that will run
startup programs when you login. There are file, folder, and other
objects in the registry that can have events assigned to them that can
load startup programs. msconfig.exe (and CCleaner) are rudimentary but
usually sufficient. When they are not sufficient, you need to use a
better tool.
Post by pyotr filipivich
Post by VanguardLH
Post by pyotr filipivich
other than apparently because MS thinks it a neat idea to run it.
Wrong. No version of Windows has ever had msinfo32.exe as a default
startup program.
Which is not the problem. The problem is, that when msinfo32 is
loaded and run, it hogs enough resources that for the next three to
five minutes, my computer is "closed for lunch". If lucky, I might
be able to get to the process msinfo32.exe before it is done and kill
it. Just as often, by the time I can do anything, the process has
closed and my computer is now "back from lunch" and ready to resume
working.
msinfo32 does not load, by default, upon Windows startup. 8 instances
of msinfo32.exe don't get loaded, by default. 1 instance shouldn't take
long but I've never tried to load 8 concurrent instances of it to see if
scanning by multiple instances will interfere with each other.

How fast msinfo32 collects the data depends on how fast it can scan. On
my current PC, it's just a second or two to complete the scanning. On
my older PC, it was a lot longer (don't remember how long but do
remember having to wait for it to complete its scan).

Why are you running 3 security programs (MalwareBytes
<someproductNotMentioned>, Comodo <something>, and Avast)? Are you
using MalwareBytes AntiMalware? If so, is it configured to cripple all
its on-access (real-time) features or is it the free version (after the
trial expires it cripples itself)? With Avast active, Malwarebytes
AntiMalware should only be used as a second-opinion on-demand (manual)
AV scanner. Did you include CAV (Comodo AntiVirus) in the Comodo
Internet suite? It's a limp AV, couldn't stand on its own, so Comodo
dumped it into their Internet suite to have it make use of the
heuristics monitor of their firewall program. Go into the Add/Remove
Programs entry for Comodo Internet and remove the CAV component. The
more programs you have scanning the same files, the more they will
conflict with each other. In fact, I've seen where one AV was reading a
file that resulted in triggering another AV to scan the same file.
Since the 2nd AV scanned the file, the 1st AV saw the activity and
rescanned the same file. Within a couple minutes, the two AVs had
reread the same file over 4000 times. Disabling one AV (to use only as
an on-demand scanner) eliminated the conflict and the computer became
responsive again. The rule of thumb still applies: have only ONE
anti-virus active at a time.

Just as AVs can have false positives (goodware flagged as malware), they
can also have false negatives (missed malware). Did you scan your media
for where there are copies of msinfo32.exe and submit each to VirusTotal
as Paul suggested?

Another option is to use SysInternals' Process Explorer. It has an
option to check processes with VirusTotal. A column gets added named
VirusTotal. Process Explorer uses the VirusTotal API to submit checks
to the VirusTotal.com server. Go under Options -> VirusTotal menu to
enable the option. I think Process Hacker also supports VirusTotal
checking but requires the OnlineChecks plugin; however, I think
VirusTotal is "integrated" in Process Hacker but only means you can
right-click on a process or a DLL in the modules tab to then submit the
item for checking at VirusTotal.

No idea which edition of Windows 7 that you have. Is it the Home or
Professional edition? With the Pro edition, you can define SRPs
(Software Restriction Policies) in the policy editor (which Microsoft
omits in the Home edition). With SRPs, you can, for example, block an
executable from loading. You define a Path rule to the file and anytime
anything tries to open that executable the SRP will block that
executable from getting loaded. However, you mentioned Comodo, but
that is a company name, not a product name. If you installed their
firewall (alone or in their Internet suite), you can define rules on
executables to prevent them from loading. I think it is part of their
HIPS (Host Intrusion Prevention System) aka heuristics aka behavior
monitoring.
J. P. Gilliver (John)
2017-12-20 22:46:14 UTC
Post by pyotr filipivich
Post by VanguardLH
I am not starting msinfo32.exe, something else is, and I have no idea
what it is.
So follow the instructions already provided to you on how to investigate
and find startup items. We're not there. You'll have to do the work.
You'll have to find the startup item that loads msinfo32.exe and delete
or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
Well, in that case, and since Mayayana has said (though not in these
words explicitly) it isn't needed for the computer to run, just - next
time you have control of the computer, i. e. "msinfo" ISN'T running -
rename it. (Make sure you find and rename ALL copies of it, too.) That
_should_ stop it ever running, since whatever's calling it will call
something that doesn't exist.

This doesn't explain why it's being called.

(It also doesn't explain why it's taking ages to run and using lots of
CPU when it does, when some here have said it ought to complete in a few
seconds. But rename them anyway.)

Also, when you're finding and renaming them, see if they're all the same
size/date/whatever; if one isn't, that's probably suspicious.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Radio 4 is the civilising influence in this country ... I think it is the most
important institution in this country. - John Humphrys, Radio Times
7-13/06/2003
pyotr filipivich
2017-12-21 05:08:00 UTC
Post by J. P. Gilliver (John)
Post by pyotr filipivich
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
Well, in that case, and since Mayayana has said (though not in these
words explicitly) it isn't needed for the computer to run, just - next
time you have control of the computer, i. e. "msinfo" ISN'T running -
rename it. (Make sure you find and rename ALL copies of it, too.) That
_should_ stop it ever running, since whatever's calling it will call
something that doesn't exist.
This doesn't explain why it's being called.
(It also doesn't explain why it's taking ages to run and using lots of
CPU when it does, when some here have said it ought to complete in a few
seconds. But rename them anyway.)
Also, when you're finding and renaming them, see if they're all the same
size/date/whatever; if one isn't, that's probably suspicious.
Thanks.

I had to reboot twice to get Windows to cooperate (it often fails
to update directories, so it thought it had six drives plugged in
which were not - three of which have names which it also didn't know;
Device Manager did not complete a scan for changes in hardware. Weasels
and Ferrets chasing each other through the underbrush, mass hysteria!)

Anyway, doing a "dir /s msinfo32.exe > g:\textfile.txt" I have
the following results:

creation dates ---size - file name

C:\Windows\System32
06/12/2017 14:14 PM 379,392 msinfo32.exe
1 File(s) 379,392 bytes
C:\Windows\SysWOW64
06/12/2017 14:06 PM 303,616 msinfo32.exe
1 File(s) 303,616 bytes
C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_e46b048a01806891
11/20/2010 19:23 PM 378,880 msinfo32.exe
1 File(s) 378,880 bytes
C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.23841_none_e4d106ef1ab93db9
06/12/2017 14:14 PM 379,392 msinfo32.exe
1 File(s) 379,392 bytes
C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7601.17514_none_0a026c46104dd379
11/20/2010 19:23 PM 378,880 msinfo32.exe
1 File(s) 378,880 bytes
C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7601.23841_none_0a686eab2986a8a1
06/12/2017 14:14 PM 379,392 msinfo32.exe
1 File(s) 379,392 bytes
C:\Windows\winsxs\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7601.17514_none_1457169844ae9574
11/20/2010 19:24 PM 303,104 msinfo32.exe
1 File(s) 303,104 bytes
C:\Windows\winsxs\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7601.23841_none_14bd18fd5de76a9c
06/12/2017 14:06 PM 303,616 msinfo32.exe
1 File(s) 303,616 bytes
C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_884c69064922f75b
11/20/2010 19:24 PM 303,104 msinfo32.exe
1 File(s) 303,104 bytes
Directory of
C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.23841_none_88b26b6b625bcc83
06/12/2017 14:06 PM 303,616 msinfo32.exe
1 File(s) 303,616 bytes

that's ten files for those keeping score at home.

Looking at the times and dates - I think "has it been that long
since I got this? Wait, didn't I get this after I got back in 2011?
Nope - 2014, refurbished, through Walmart.

Anyway - there they are listed. Tomorrow I may attempt to do battle
with gaining control of my computer so that I can change their names.
Everything takes longer than expected.


I have forgotten what I originally intended to have included in
the reply.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
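As an added example (not from anyone in this thread), the size/date comparison suggested above, done for every msinfo32.exe under C:\Windows and extended with a SHA-256 and Authenticode check so an odd copy stands out. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and, like any scan run from inside the live OS, is subject to Paul's rootkit caveat.

```powershell
# Added example, not the thread's own: inventory every msinfo32.exe under
# C:\Windows and compare size, timestamp, SHA-256 and signature status.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and an elevated session so
# the WinSxS store is readable.
$copies = Get-ChildItem -Path 'C:\Windows' -Filter 'msinfo32.exe' `
    -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Modified  = $f.LastWriteTime
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Sorting by hash lines up the identical copies: the live System32 and
# SysWOW64 files normally match the WinSxS copies of the same update level,
# giving one hash per architecture per servicing version.
$report | Sort-Object SHA256 |
    Format-Table Size, Modified, Signature, SHA256, Path -AutoSize

# A hash that occurs only once has no twin in the component store, which is
# the "one isn't the same" case the thread describes. Flag it for a closer
# look (VirusTotal, file version info, offline comparison from a LiveCD).
$report | Group-Object SHA256 | Where-Object Count -eq 1 | ForEach-Object {
    Write-Warning ("Unique hash, check this copy: " + $_.Group[0].Path)
}

# Signature status is corroborating evidence only: Windows 7 system files are
# catalog-signed, and older PowerShell versions report those as NotSigned.
# HashMismatch, however, always means the bytes changed after signing.
$report | Where-Object { $_.Signature -eq 'HashMismatch' } | ForEach-Object {
    Write-Warning ("Signed content was modified: " + $_.Path)
}
```

Hash agreement across the copies is the primary test; the signature column only adds weight where it says more than NotSigned.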
Paul
2017-12-19 08:20:09 UTC
so that I can "quickly" suspend msinfo32.exe
Upload it to virustotal.com and scan it ?

It's probably a coin miner you picked up or something.

Just because malware has a "name you recognize", doesn't
mean it's a good guy. Obviously the run policy has nothing
to do with Microsoft, and it's running eight copies for
some other reason, unrelated to your computer usage.

Paul
pyotr filipivich
2017-12-19 17:13:21 UTC
Ufda - my mistake.

I'm _not_ running Process Monitor

I'm running Process Hacker.

which still doesn't answer why Msinfo32 is starting itself.
Post by pyotr filipivich
Post by VanguardLH
I have taken to running Process Monitor with the processes sorted by
CPU usage, so that I can "quickly" suspend msinfo32exe when it grabs
"half" the cpu and freezes everything else. Usually I notice this
when PaleMoon is running and suddenly the mouse pointer just stops.
Then begins the move mouse on the desk and aim for the procmon window,
then try to get the pointer on msinfo32 and then suspending/
terminating it is "simple".
Googling it leads me to the conclusion that MS seems to believe I
really do want to run it, when what I want to know is why is it
running in the first place? Why is it running up to eight copies,
and why is it hogging resources so much?
Does anyone have any good ideas on how to prevent this, or is this
another MS "enhancement to my computer experience" whether I like it
or not?
Did you leave logging on and on and on and ... All those events are
getting logged while ProcMon is running. Filtering only changes what
you see. ALL events are still logged. When that logfile gets huge, not
only does it require lots of resources to keep updating such a huge file
but can also eat up your free disk space with a huge log file. Did you
try clearing its logfile to start anew each time you start ProcMon?
I don't have ProcMon logging anything.
And msinfo32 will start up before I start Procmon. What happens
is all of a sudden the computer drops to a crawl, the mouse pointer
doesn't move, if I am patient, I'll work it over to a short cut, start
it, wait for it, work the pointer to the column CPU, sort by usage,
and work it down to msinfo32, and eventually I'm able to suspend. (If I
am not patient, I use the BRS interrupt to reboot)
Basically, I'm moving the mouse, then waiting for the screen to
catch up, then seeing if where I moved the mouse 15 seconds ago is the
correct spot, if not try again, and see if it's now in the correct
spot, and repeat - until either I can kill msinfo32, or it deigns to
return the use of the mouse/keyboard/computer in general to me.
Which still leaves me with this annoying problem that msinfo32 is
starting up just to start up and interfere with my computer experience
- whether I had procmonitor running or not. At least with procmonitor
running, I cut out several steps where I'm moving and clicking hoping
I found the shortcut when the mouse gets polled.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
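The thread keeps running into the same wall: by the time the machine responds, msinfo32 has already exited and nothing shows who launched it. As an added example (not from anyone in this thread), a PowerShell watcher that subscribes to the Win32_ProcessStartTrace WMI event and records the parent of every msinfo32.exe start; it assumes an elevated session and that the log directory C:\Temp exists.

```powershell
# Added example, not the thread's own: log the parent of each msinfo32.exe
# start so the launcher is captured even when the child lives only seconds.
# Win32_ProcessStartTrace needs an elevated session; the log path is an
# assumption (C:\Temp must exist). Works on Windows 7 with PowerShell 2.0+.
$logPath = 'C:\Temp\msinfo32-starts.log'

$action = {
    $e = $Event.SourceEventArgs.NewEvent
    if ($e.ProcessName -ieq 'msinfo32.exe') {
        # Resolve parent and child while they are still alive. A resident
        # service such as cmdagent.exe will still be running; the child may
        # already be gone, in which case CommandLine comes back empty.
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
        $child  = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ProcessID)"
        $fields = @(
            (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
            "child_pid=$($e.ProcessID)",
            "child_cmd=""$($child.CommandLine)""",      # /nfo <file> would mean an export
            "parent_pid=$($e.ParentProcessID)",
            "parent_name=$($parent.Name)",
            "parent_path=""$($parent.ExecutablePath)"""
        )
        # $Event.MessageData carries the log path into the action's scope.
        Add-Content -Path $Event.MessageData -Value ($fields -join ' ')
    }
}

Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier 'MsInfo32Watch' `
    -MessageData $logPath -Action $action | Out-Null

Write-Host "Watching for msinfo32.exe starts; entries are appended to $logPath"
Write-Host "Stop with: Unregister-Event -SourceIdentifier MsInfo32Watch"
```

The subscription only fires while the PowerShell session that registered it stays open, so leave that window running until the next slowdown and then read the log.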